3 hours 41 minutes
alright In part three, we're going Thio, Learn about the Windows A P I continue looking at RPC file and learn about the Windows Registry.
In the last section, we examine P E files on the disk using CFF Explorer. However, when we're performing our Mauer analysis, we have another type of file that's similar to and execute Herbal and these air library files now library files, whole common functions and or a P i s that could be shared and re used by other programs.
And the file structure is similar to that of a P E.
In programming. When a execute herbal is compiled, the compiler generates object code. After generating the object code, the compiler also invokes the linker. Now, don't worry really about that right now, we just want to know that one of the main tasks of the linker
is to make code of our library functions available to our program.
The Linger can do this in two ways.
It can do it by copying the library code to our object file directly or by making it so that the complete code of the library is made available at runtime.
In the case of copying the library code. Tow our object file thes air called static libraries. And in the case of making our code available at runtime, these are called dynamic libraries. As far as our class is concerned, we'll be looking at Windows dynamic libraries or deals,
as you can see here in Image number one, the P E is loading the malware DLL, and it's a company function into the PES memory space.
An image number two. We have a dynamic length library.
Dynamic link libraries consists of functions that could be used by other excusable programs, in this case, the malware e x C. But the question is, is how do we obtain list of functions that are made available by the specific DLL, as well as where they're loaded in memory? So to obtain this information, we can use the deal else Export directory.
As you can see, an image number two.
The DLL and its print malware message function can be used by R P E sample on the left and the print malware message functions. R V A is at 13 C six from its base address.
As an exercise, we can view the properties of a dll with CFF Explorer So if we take our dll and we open it in CFF Explorer,
the first thing that we can dio is we can make sure the file is dll by viewing the characteristics of the dll by clicking in the file header tree on the left
And if we click the characteristics on the right, you can see that the file in fact, is a DLL.
We can also examine the exports of the DLL by clicking in the export directory in our tree on the left and here we can see that this particular DLL exports the print Mauer message
and the function the R V A for that function is 13 c six.
This would be 13 c six plus the DLL base address to view the imports of our accompanying P E file. We can also open it in CFF Explorer and we can navigate to the import directory here on the left.
Now, as you can see, the import directory contains the module malware DLL, which gets loaded into the PES memory address space at 8390 from the mall wears base address
now to verify the address of the export function in memory. We can use the PES import dress table of the DLL. In this case it's 83 90. We can add this to the PES base address and within process Hacker. So let's open up process hacker.
We can view that the export function is mapped correctly within the address space.
So what we can do here is navigate to the PES base address
and locate hex 408390 that, of course, falls between the 7000 range and the 9000 range
so we can inspect this memory region. In this case, it starts from zero right, so we need to go to offset 1390
and we can see here that the export address
is 13 c six and because of Indian ISS, it's mapped backwards.
Don't worry about Indiana's for now, we'll talk about it in the upcoming sections. Now you may ask yourself, Well, why is all this important?
Well, there's times where malware authors will hijack a P I calls made by legitimate software.
They do this by replacing the address of the legitimate AP ice in the import address table of process with an address of his or her malware code, meaning that you can take and redirect all of the a p I calls made by a process to that malicious code or function.
As we've been looking at our DLL, you can begin to understand which libraries are created by malware authors and which ones that provide different windows functionality. As we analyze, different samples were going to encounter a lot of these different windows AP ice, of course, but not every single one is going to be used maliciously.
That's why it's pretty important for us to know which a P I s are being used and in what context.
So to determine which ones are being implemented for malicious purposes, we can use a combination of static analysis and dynamic analysis techniques to help us understand which AP eyes were getting loaded and implemented as the program runs.
Additionally, we can reference the Microsoft documentation for Windows AP eyes and DLL functions that were curious about as an example. By looking at the create file function on the M s d n website, we could get a pretty good idea of how the A p I is used
what parameters the function accepts
and the data types for those parameters.
It's also important to understand the parameters because, while analyzing malware, these parameters define how and why the a p I is being used.
So to truly understand a windows ap I function, you should understand the arguments that accepts from the function caller.
As you can see, the A p I takes several arguments which determine its functionality.
Not only can create file, create new files, but it can also open an existing file. This difference can change depending on the value that's passed to the function in the DW. Create disposition parameter. Now there are a lot of
windows AP is available, and you're going to encounter a lot of them as you analyze your different samples
in the word cloud. Here, we've got a list of A P S. You probably need to remember
These are the most common MP ice related to performing operations on files performing operations on the Windows Registry, Virtual Memory processes and Threads Deal Els Services in New Texas.
The Windows Registry is a database which stores different settings for the Microsoft Windows operating system and for applications that use thes system registry.
Some of the applications include user interfaces, security accounts, manager services, the colonel and device drivers. In essence, the Windows Registry contains information, settings and options for programs and hardware installed the windows,
for example. When a specific program is installed like word or Adobe Reader, a new key containing setting, such as the programs location version, how to start the program and the associative file types are all added this case to the Windows Registry.
The Windows Registry itself is stored in what we call high files, and the structure of the high files contains two basic elements. Thes are keys and values.
Now the registry keys are container objects similar to folders in the registry. Values are objects similar to files.
Each key may contain any number of values and sub keys, and these are reference similar to Windows Path names using back slashes to indicate the associate levels within the hierarchy.
The high files are found in the Windows registry, and it could be seen in the screenshot below, and we can also view it on our system, using a tool like Reg at it
in a screenshot below the registry. Key names are found in the hive on the left, with the corresponding names on the right.
Now it's common that now where will attempt to use the registry in some way, such as in instances where it wants to remain running on the system. But more on that as we explore Mauer artifacts and persistence mechanisms.
Okay, so now that we've briefly reviewed some of the windows components that were going to be most interested in, let's take a look at some common now we're behaviors.